Vanity Nameservers and Glue Records Explained
How vanity nameservers work, when glue records are required, and the operational risks of branded NS hostnames like ns1.example.com.
TL;DR
Vanity nameservers are branded NS hostnames such as ns1.example.com instead of provider-owned names like ns1.dnscale.eu. They are mostly a branding and reseller feature, not a reliability feature. If the nameserver hostname lives inside the domain it serves, the parent zone needs glue A/AAAA records so resolvers can find the nameserver without getting stuck in a circular lookup.
What you'll learn
- Explain what vanity nameservers are
- Show when glue records are required
- Distinguish in-bailiwick and out-of-bailiwick nameservers
- Avoid DNSSEC and migration mistakes with custom nameservers
Vanity nameservers are custom nameserver names that use your domain:
ns1.example.com
ns2.example.com
instead of provider-owned names:
ns1.dnscale.eu
ns2.dnscale.eu
They are useful for branding, reseller setups, and some enterprise procurement rules. They do not make DNS faster by themselves.
What a Nameserver Hostname Does
A delegation says which authoritative nameservers serve a zone:
example.com. NS ns1.dnscale.eu.
example.com. NS ns2.dnscale.eu.
With vanity nameservers, the delegation might become:
example.com. NS ns1.example.com.
example.com. NS ns2.example.com.
Those hostnames still need to resolve to real authoritative DNS infrastructure.
The Circular Lookup Problem
Here is the problem:
example.com is served by ns1.example.com
but ns1.example.com is inside example.com
so how does a resolver find ns1.example.com before it can query example.com?
That is what glue records solve.
The parent zone publishes the IP address alongside the delegation:
example.com. NS ns1.example.com.
ns1.example.com. A 203.0.113.53 ; glue at the parent
Now a resolver can reach the nameserver and ask it for the zone.
In-Bailiwick vs Out-of-Bailiwick
Two terms matter:
| Nameserver | Example | Glue needed? |
|---|---|---|
| In-bailiwick | ns1.example.com serving example.com | Yes |
| Out-of-bailiwick | ns1.provider.example serving example.com | Usually no |
If the nameserver lives inside the zone it serves, glue is needed at the parent.
If the nameserver lives under a different domain, the resolver can resolve that nameserver through the normal DNS hierarchy.
Where Glue Records Are Managed
Glue records are managed at the registrar or registry interface, not inside your normal DNS zone editor.
For example.com, the .com parent needs to know:
ns1.example.com -> 203.0.113.53
ns2.example.com -> 203.0.113.54
You may also publish matching A/AAAA records inside the child zone:
ns1 300 IN A 203.0.113.53
ns2 300 IN A 203.0.113.54
But those child-zone records do not replace parent-side glue. They are used after delegation works.
Setup Pattern
A safe vanity nameserver setup usually looks like this:
- Ask your DNS provider for the target IPs and supported hostnames.
- Create host objects or glue records at the registrar.
- Add matching A/AAAA records in the DNS zone.
- Change the domain's NS delegation to the vanity nameservers.
- Verify from the parent:
dig NS example.com @a.gtld-servers.net
dig A ns1.example.com @a.gtld-servers.net
- Verify the authoritative answer:
dig SOA example.com @ns1.example.com
Do not skip parent-side checks. Your dashboard can look correct while the registry delegation is still wrong.
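The parent-side check above can be automated by comparing the referral from the parent with the address records in the child zone. The following is an added example, not code from the original page or from DNScale; the record text is constructed sample data in dig-style format, and the function names `parse` and `audit_glue` are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation addresses), not real registry output.
# PARENT: referral from the .com servers; CHILD: records in the child zone.
PARENT = """
example.com.      172800 IN NS   ns1.example.com.
example.com.      172800 IN NS   ns2.example.com.
example.com.      172800 IN NS   ns3.provider.example.
ns1.example.com.  172800 IN A    203.0.113.53
ns2.example.com.  172800 IN A    203.0.113.99
"""
CHILD = """
ns1.example.com.  300 IN A     203.0.113.53
ns1.example.com.  300 IN AAAA  2001:db8::53
ns2.example.com.  300 IN A     203.0.113.54
"""

def parse(text):
    """Map (owner, type) -> set of rdata from 'owner ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) != 5:
            continue
        owner, rtype, rdata = fields[0].lower().rstrip("."), fields[3].upper(), fields[4]
        if rtype in ("A", "AAAA"):
            rdata = str(ipaddress.ip_address(rdata))   # normalise address text
        else:
            rdata = rdata.lower().rstrip(".")
        records.setdefault((owner, rtype), set()).add(rdata)
    return records

def audit_glue(zone, parent_text, child_text):
    """Return (nameserver, problem) pairs for in-bailiwick NS names of `zone`."""
    parent, child = parse(parent_text), parse(child_text)
    findings = []
    for ns in sorted(parent.get((zone, "NS"), ())):
        if ns != zone and not ns.endswith("." + zone):
            continue   # out-of-bailiwick: resolved through the normal hierarchy
        if not parent.get((ns, "A")) and not parent.get((ns, "AAAA")):
            findings.append((ns, "no glue at parent"))
            continue
        for rtype in ("A", "AAAA"):
            glue, auth = parent.get((ns, rtype), set()), child.get((ns, rtype), set())
            if auth and not glue:
                findings.append((ns, f"missing {rtype} glue"))
            elif glue and auth and glue != auth:
                findings.append((ns, f"{rtype} glue differs from child zone"))
    return findings
```

With the sample data, `audit_glue("example.com", PARENT, CHILD)` reports the missing AAAA glue for ns1 and the stale A glue for ns2, and skips the out-of-bailiwick ns3.provider.example.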
DNSSEC Considerations
Vanity nameservers and DNSSEC can coexist, but migrations need care.
The two dangerous mistakes:
- changing nameservers while the parent still has a DS record for the old signing keys
- changing DNSSEC keys while resolvers still cache old delegation data
If you are migrating signed DNS:
- Lower TTLs before the migration.
- Confirm the new provider signs the zone correctly.
- Publish the correct DS record at the registrar.
- Verify with multiple validating resolvers.
- Remove old DS data only when it is safe.
For a full walkthrough, see DNS migration with zero downtime and DNSSEC setup for DNScale.
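The first dangerous mistake above, a DS record at the parent that still refers to the old signing keys, can be detected by recomputing DS values from the DNSKEYs the new nameservers serve. The following is an added example, not code from the original page or from DNScale; the key bytes are constructed placeholders, the function names are hypothetical, and only SHA-256 (digest type 2) DS records are computed.

```python
import hashlib, struct

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA wire form: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (any algorithm except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name):
    """Canonical owner name: lower-case, length-prefixed labels, root byte."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """(key tag, algorithm, digest type 2 = SHA-256, digest) for one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_status(owner, parent_ds, served_keys):
    """Compare DS records at the parent with DNSKEYs the new servers answer with.

    DS records with a digest type other than 2 are reported as unmatched.
    This checks the DS-to-DNSKEY binding only, not RRSIG validity.
    """
    valid = {make_ds(owner, k) for k in served_keys}
    ds = {(t, a, d, h.lower()) for t, a, d, h in parent_ds}
    if not ds:
        return "insecure: no DS at parent"
    if not ds & valid:
        return "broken: no DS matches a served DNSKEY"   # validators SERVFAIL
    return "ok" if ds <= valid else "ok, stale DS present"

# Constructed placeholder key bytes (64 bytes, the length of an algorithm 13
# key); they are not valid curve points and only exercise the comparison.
OLD_KSK = dnskey_rdata(257, 13, hashlib.sha512(b"constructed old provider key").digest())
NEW_KSK = dnskey_rdata(257, 13, hashlib.sha512(b"constructed new provider key").digest())

if __name__ == "__main__":
    old_ds = make_ds("example.com", OLD_KSK)
    print(ds_status("example.com", [old_ds], [NEW_KSK]))
```

A result of "ok, stale DS present" corresponds to the window in which both the old and new DS are published; the old one is removed only when it is safe.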
When Vanity Nameservers Are Worth It
They make sense for:
- agencies and resellers
- platforms that want customer-facing branded DNS
- enterprise policy requiring branded infrastructure names
- white-label hosting
They are usually not worth it for:
- ordinary SaaS domains
- small business websites
- teams without a specific branding or reseller requirement
- anyone trying to improve performance
Provider-owned nameservers are simpler, easier to migrate, and less likely to create glue-record mistakes.
Common Mistakes
Creating records only in the child zone
This is not enough:
ns1 300 IN A 203.0.113.53
If ns1.example.com is used as a nameserver for example.com, the parent still needs glue.
Forgetting IPv6 glue
If the nameserver has IPv6, add AAAA glue too:
ns1.example.com -> 2001:db8::53
Assuming vanity nameservers hide the provider
They hide the provider name from the NS hostname. They do not hide routing, ASN, IP ownership, SOA values, or operational fingerprints.
Frequently asked questions
- What are vanity nameservers?
- Vanity nameservers are custom or branded nameserver hostnames, such as ns1.example.com, that point to a DNS provider's authoritative infrastructure.
- Do vanity nameservers improve DNS performance?
- No. They are mainly branding. Performance depends on the provider's authoritative network, not the text of the NS hostname.
- What is a glue record?
- A glue record is an A or AAAA record stored at the parent zone so resolvers can find an in-bailiwick nameserver. For example, if example.com uses ns1.example.com, the .com zone needs the IP address for ns1.example.com.
- When do I need glue?
- You need glue when a domain is delegated to nameservers inside that same domain, such as example.com delegated to ns1.example.com.
- Can I use vanity nameservers with DNSSEC?
- Yes, but be careful during migrations. Nameserver changes and DS-record changes must be ordered correctly or validating resolvers may return SERVFAIL.
- Should most teams use vanity nameservers?
- No. Standard provider nameservers are simpler and safer. Use vanity nameservers when branding, reseller packaging, or policy requires them.